The key to using the DFW/Service Composer at scale is to have an appropriate security framework. This framework should be well thought out and designed from the outset to accommodate hundreds or thousands of rules. One of the main points of the security framework that you will build most things on will be an appropriate security grouping framework.
I have personally helped customers implement their security posture using DFW/Service Composer, and they have anywhere from 50 rules right up to 50,000 rules. You must also keep in mind that a lot of the power of NSX comes from the fact that it can be driven programmatically, so the customers who have large rule bases also look to automation to help them out, and if automation is going to be a factor in the future, your security framework must cater for it from the beginning.
Have you read the following document?
If you get your framework correct, it will allow you to provision and life-cycle rules/applications with ease and do it programmatically if required. If you get it wrong, like with most firewall products, you will find making changes to the rules/policies cumbersome or complex.
Can you elaborate on the functionality that you're missing from Service Composer? What would you like to see in Service Composer that would sway you to use it?
I too had a similar question in my mind when implementing the DFW rules & policies.
The grouping, section & Applied To functionality makes it very simple to configure & manage the rules.
The search functionality provides ease & flexibility during troubleshooting or during any rule check.
rajeevsrikant, are you able to expand on this search functionality? The filtering I find in NSX starts to fail the more complex rules and sections you have. The only workaround I have managed to find is to dump the entire NSX firewall, IP sets, groups etc. and then go through it.
The grouping and sections (with Applied To) are failing also because there are just too many! When we first started off with a hundred or so rules, it was kind of fine; now that we have more and more firewall rules and sections, it is becoming a management nightmare. Even with the sections, if you come up with a naming convention and someone decides to create a new section in a random location, it is hard to find, as there is no further section grouping and ordering.
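One way to go through a dumped firewall configuration offline, as an added example that is not code from this thread or from VMware: it indexes every rule by the objects it references, finds the rules that touch a given group, flags sections that break a naming convention, and lists rules applied to the whole DFW. The XML below is a constructed sample loosely modelled on an NSX-v DFW export (the element layout is an assumption, not the authoritative schema), and the `<PREFIX>-<APP>-SEC` section naming convention is also assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export (assumed shape): sections hold rules, and each rule's
# sources, destinations and applied-to entries carry an object id and a display name.
SAMPLE_EXPORT = """<firewallConfiguration>
  <layer3Sections>
    <section id="1001" name="APP-WEB-SEC">
      <rule id="1" disabled="false">
        <name>web to app</name>
        <sources><source><type>SecurityGroup</type><value>securitygroup-10</value><name>SG-APP-WEB</name></source></sources>
        <destinations><destination><type>SecurityGroup</type><value>securitygroup-11</value><name>SG-APP-MID</name></destination></destinations>
        <appliedToList><appliedTo><type>SecurityGroup</type><value>securitygroup-10</value><name>SG-APP-WEB</name></appliedTo></appliedToList>
      </rule>
    </section>
    <section id="1002" name="temp stuff">
      <rule id="2" disabled="false">
        <name>adhoc</name>
        <sources><source><type>SecurityGroup</type><value>securitygroup-11</value><name>SG-APP-MID</name></source></sources>
        <destinations><destination><type>Ipv4Address</type><value>10.0.0.5</value></destination></destinations>
        <appliedToList><appliedTo><type>DISTRIBUTED_FIREWALL</type><value>DISTRIBUTED_FIREWALL</value></appliedTo></appliedToList>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>"""

SECTION_NAME_RE = re.compile(r"^[A-Z]+-[A-Z0-9]+-SEC$")  # assumed naming convention


def rule_refs(rule):
    """Collect every object id and display name a rule references (src, dst, applied-to)."""
    refs = set()
    for tag in ("source", "destination", "appliedTo"):
        for obj in rule.iter(tag):
            for child in ("value", "name"):
                text = obj.findtext(child)
                if text:
                    refs.add(text)
    return refs


def index_rules(xml_text):
    """Return (section name, rule id, rule name, referenced objects) for every rule."""
    root = ET.fromstring(xml_text)
    return [(section.get("name"), rule.get("id"), rule.findtext("name"), rule_refs(rule))
            for section in root.iter("section") for rule in section.findall("rule")]


def rules_referencing(xml_text, needle):
    """Rules whose sources, destinations or applied-to mention an object by id or name."""
    return [(s, rid, rname) for s, rid, rname, refs in index_rules(xml_text) if needle in refs]


def sections_off_convention(xml_text):
    """Sections whose name does not follow the assumed convention (e.g. created ad hoc)."""
    root = ET.fromstring(xml_text)
    return [s.get("name") for s in root.iter("section") if not SECTION_NAME_RE.match(s.get("name", ""))]


def rules_applied_to_everything(xml_text):
    """Rules applied to the whole DFW rather than scoped with Applied To."""
    return [(s, rid, rname) for s, rid, rname, refs in index_rules(xml_text) if "DISTRIBUTED_FIREWALL" in refs]
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; searching by group id rather than display name catches rules even after a group has been renamed.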